See also: IRC log
MEZ: not quite there to talk about rec-track stuff; would like to recap some stuff from yesterday's discussion ...
IRC log from yesterday: http://www.w3.org/2006/11/14-wsc-irc.html
(There will be a more readable HTML rendering of that.)
<stephenF> is there a keyword in yesterday's log we can search on?
MEZ: Goals ...
... non-goals ...
... assumptions ...
... use cases/scenarios ...
... user test / verification ...
... sec ctx avail ...
... browsers / UAs ...
... content practices ...
<stephenF> (this is the TOC for the note? if so, good)
MEZ: attacks ...
... non-attacks ...
(this is what MEZ is scribbling on the whiteboard)
??: Add in-scope to "goals", out-of-scope to "non-goals"
MEZ: ... flesh out some of the discussion more
...
... good start on available context ...
... some stuff on use cases ...
... got tyler as editor ...
<stephenF> I'd be interested in knowing if any non-goals were agreed yesterday (anytime, not necessarily now)
<stephenF> ok, good
MEZ: what are the stages we plan on doing? How do we validate and/or convince ourselves that we come up with useful recommendations?
... kinds of things I can think of ...
... expert review by HCI community ...
... can do those on paper goods ...
... example scenarios ...
... try to gather expert feed-back ...
... other end is user testing ...
... could be paper-based or code/mockup based testing ...
... some HCI folks actually prefer paper-based since people feel their feed-back is more useful ...
... all this will require example scenarios ...
... and then there's Phil's early direction: theories and principles ...
... that can range from 7+-2 short-term memory ...
... through "dialogue boxes are evil" ...
... through safe staging ...
... related to idiot boxes ...
... might need to pull in basic theories as basis for discussions ...
hal: maybe proposed mechanisms, mock up alternatives ...
... rapid prototyping common in UI development, showing stuff to users ...
(more discussion about usability testing)
<stephenF> (I'm getting more from the IRC than the audio, so I'm going to IRC-only mode now)
MEZ: as standards body hard-pressed to do better than industry or researchers ...
<malware> concise definition of "safe staging" anywhere?
MEZ: there is a substantive amount of research papers ...
... getting test subjects is hard ...
<Yakov> I am also having problems with the audio
<stephenF> it wasn't so much problems, but lack of added-value compared to the excellent scribing
malware: good definition of safe staging?
mez: don't make users make security decisions when they're not ready to
... if you make them make a decision, it'll be a bad one ...
phb: idiot boxes are problem for many reasons
...
... instead of providing good and usable interface, press liability to user
...
billd: dilutes further information that might be important
tlr: use cases ought to be useful for usability testing
mez: yeah, they'll probably be useful
... worry that sometimes security engineering is targeted towards defending stuff against unknown attacks ...
hal: there might be unknown attacks in the use cases
maritza: Would like use cases to feed into scenario-based user testing ...
... one of the things I have been thinking about a lot is how to present use cases to the user ...
... "decide if site is secure using whatever information you get" ...
... or test some kind of task and then look how securely they do them ...
... if you do it the first well and they fail, that's good information ...
... but if the first one succeeds, it doesn't tell you the mechanism works
...
mez: that comes up a lot in usability testing
...
... lab vs in-the-wild bias ...
... comes back much more strongly when testing for security ...
... security by itself is never main goal ...
maritza: if someone is watching you, you'll always want to be seen paying attention ...
Scribe misses some remarks from MEZ.
tjh: besides published headlines about people walking around streets and giving passwords up for a candy -- is there reliable research?
mez: there is a lot of data out there
<stephenF> "out there" == "where?"
mez: attitudes and what they mean ...
<scribe> out there == research literature
<Pau1> Angela who? I couldn't hear the last name of the researcher.
<stephenF> good if better literature pointers are done, better on the list
<scribe> ACTION: Zurko to put together set of background references [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action02]
<trackbot> Created ACTION-20 - Put together set of background references [on Mary Ellen Zurko - due 2006-11-22].
<scribe> ACTION: maritza to help MEZ with ACTION-20 [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action03]
<trackbot> Created ACTION-21 - Help MEZ with ACTION-20 [on Maritza Johnson - due 2006-11-22].
<Pau1> http://www.cs.ucl.ac.uk/staff/a.sasse/
(discussion about relevant literature)
mez: Need to do some of the usability testing, we'll see how much we can.
Hal: There's an issue around recs working on every platform ..
... simple example: Things that you click on are in different places on different platforms ...
mez: good point
phb: stuff that I've been reading on usability is all on testing ...
... have yet to find a book about usability engineering ...
... books say "you design thing, then you test it" ...
... would like to see design principles ...
mez: the design for usability discipline is called: ...
... DESIGN ...
... there's always testing in the life cycle ...
... there's a usability design discipline ...
... roles and personas come from that end of spectrum ...
... UI design part craft, part art ...
phb: lots of stuff on the "craft" level?
... what's the model of the user, the mental facilities, etc
mez: design doesn't happen that way
... people aren't like code ...
phb: maximum cap not definable, but you can do a good model of the minimum user ...
tlr: there's a difference between what level we should recommend stuff on, and what level things get tested on
tyler: recommend specific widgets?
hal: there's a level of detail we're probably not going below ...
... part of the process ought to be how specific we can afford to be ...
... we need to find the point where we ought to specify things ...
malware: one example we had is very simple -- see EV certificates ...
... CA browser forum work ...
... in that case, didn't evolve from spec, but evolved from MS saying we'll implement in a certain way ..
... instead of lock icon and address bar, green background ...
... decided before spec came along ...
... don't remember whether it's in the spec ...
... there's agreement between browser vendors to have certain level of consistency ...
... in MS case, it's white around address bar, changing to light green ...
... in Opera's case, outline around the screen?
hal: do something like that for SSL?
malware: yellow
... think it's not totally inappropriate to do things kind of high-level -- say things about colors ...
... but don't go into too much of a detail ...
... there's room for specific recommendations, in particular when based on solid usability insights ...
... in that case, can get accepted by browser vendors ...
... stuff that needs to be consistent ...
... high-level spec to ensure that things are consistent ...
... if there's no spec, will just talk to each other to see what to do ...
phb: IE decided to adopt same icon as Firefox for RSS/Atom feeds ...
... people do recognize that there's interest in standardization & using similar cues ...
... if that's better done offline (private agreement) or better done from center ...
... don't know ...
... when you do anything like logotype, at least define increments ...
... for logotype, might give range of specific sizes, e.g. ...
... menu of possible sizes ...
... reduce space of possibilities ...
billd: cues are important to standardize on
...
... cues back are really important -- "this is a shaky certificate" ...
... don't have the cues on your own computer, general sense ...
mez: There's research on attention and security -> reading list
maritza: firefox does URL bar thing, but nobody knows what to look for
... assuming that we do decide on some standard -- when or how is it introduced to the user ...
... users knowing what is going on is important for effectiveness ...
tjh: it's word of mouth or folklore
mez: for standards, it's product uptake
tlr: consistency might help user education
<stephenF> gotta go lecture back in ~1 hr
maritza: didn't know what yellow bar was for, hadn't made connection
tjh: certainly won't work things from release notes
hal: if you've got a standard, then you can advertise
tyler: use this WG to have browser makers agree
... is opera going to discuss results from this WG with development process?
Malware: we'll need to get the guy who implements security stuff involved ...
... Yngve ...
... opportunity to get back to product people ...
<Zakim> malware, you wanted to talk about how to make users aware of security features through UI and to talk about feed icon
malware: how do you make users aware?
... came up with regard to security stuff ...
... users often don't know what something means ...
... one of solutions that have been used ...
... paper clip isn't liked by users -- anti-pattern? ...
... hard to put something into an application to alert users ...
... brilliant ideas around? ...
... user education about products without relying on online help ...
... users don't go out of their way to educate themselves ...
... feed icon is actually trademarked by mozilla ...
... they tried to exercise control over its use ...
... things that are intended for widespread use shouldn't be under control of
one entity ...
<Yakov> out for 15min
discussion betw malware and tjh about feed icon
tjh: other forms of cueing?
mez: lots of research on this problem
... but there's a lot of reasons why not in products ...
maritza: commenting on clippy ..
... people want to learn about security according to surveys ...
... but don't really buy it ...
tjh: there are ways to get things out
tyler: we might find out that if you need documentation, then it's moot
... studies show that things need to get into interaction ...
... in order to work ...
<Zakim> tlr, you wanted to suggest we come back to the "create something"
tlr, billd: if standard works and is adopted, then user education won't be our problem
mez: goals/non-goals better as summary step?
http://www.w3.org/2006/WSC/track/actions/open
<scribe> ACTION: bwporter to produce voice browser use case? [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action04]
<trackbot> Sorry, couldn't find user - bwporter
<scribe> ACTION: porter to produce voice browser use case [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action05]
<trackbot> Created ACTION-22 - Produce voice browser use case [on Brandon Porter - due 2006-11-22].
mez: break early ...
... talk about next deliverables ...
... half-hour break now ...
reconvene at 10:42
<scribe> hi george, welcome
<staikos> hello
<staikos> :)
<scribe> ScribeNick: PHB
PHB appointed scribe by royal appointment
Thomas: Answers from most participants in the group but 5...
... Answers that we do have: Jan 30th and 31st is best, only 2 conflicts ...
Proposed: Jan 30th to 31st on West coast.
<Pau1> Oh well, I'll be in Provo at a meeting at Novell.
... We checked the APWG and there is no conflict, no meeting that month ...
... Thanks to Hal for the invite. ...
RESOLUTION: next face-to-face 30/31 January in San Jose, hosted by BEA
<tlr> thanks to BEA.
<staikos> The phone is much clearer today
MEZ: should note be before the rec
Mez: need to talk about all three since have a heartbeat on all of them in the charter
... Discuss best practices for usable auth ...
... Touched a bit yesterday ...
... range of potential outcomes in terms of specificity of best practices
... Thomas made best attempt at formulating what they might look like
... Principles, worked examples for verifying, reusable assets
Hal: what do you mean by these (RSS icon)
Mez: colours for signalling etc.
Thomas: shouldn't look for colors as only signalling mechanism -- be clear about what we address
Mez: as a worked problem ...
... people have looked at use of colour
... CHI: Computer-Human Interface - put the computer first
Hal: MAN machine interface
... So now it's called HCI
Are practices like patterns?
Hal: have heard people rant about how awful a web page is without giving reasons why it is awful
MEZ: Earliest guidelines on menu placement were an inch thick.
... but once you have toolkit no need for those
... toolkits ensure conformity
<maritza> http://www.useit.com/papers/heuristic/heuristic_list.html
Maritza points us to Jakob Nielsen's at URL above
Mez: Nielsen is good,
... I may take literature with poetic license
... got some useful(?) data points
... no place for that in note appropriately, may be spot in the recommendations
Mez writeth: REC #1 Security Context List / Best Practice Principles
Thomas: Security context information, how is that context information displayed today if at all
... where are we? is presentation effective/ineffective
... certs are particularly bad... what is in dire need
... mapping that information into a level that can be understood
Thomas admits he cannot do 128 bit key fingerprints in his head
Hal: it's not for that
Thomas: look at what is in the wild and what starting point is
Tim: look at the minimal set of context to discuss
<staikos> and we have no useful means to send fingerprints out-of-band
<tlr> tyler, can you send me your list?
Mez: there will be a minimal set, and other stuff
<Zakim> tjh, you wanted to ask if we have a security context list and what is a MINIMAL list of security context information (per the charter).
PHB also need the user context, what is the user trying to achieve here?
scribe: their problem is 'am I safe', 'is this the same party I saw in the past', the objectives are user centered
Tim: agrees user perspective is important
... need to be able to express constructs
... like don't send password over unencrypted link
<stephenF> +1 to phb's "same party as before" point
Hal: we can't say what the user really wants to know 'am I secure'
Bill: some of the time the link can be presented as protection but there is no protection
... have this black and white presentation that does not match reality
... things say 'it's good' when it's not
Hal: this is easy to solve, if servers turn off encryption then client does not present as secure
... IE now ships with SSL 2.0 turned off
Tim: How do I define safe
<staikos> KDE4 has SSL 2.0 removed completely in SVN
<hal> need to recognize that we cant really give the user the information they want: Am I safe?
<hal> we can inform them about various properties which can lead to being safe, but the browser does not have all the necessary data
<tjh> phb: we may not be able to answer "am I safe" - but perhaps we could answer "you're configured safe according to what A, B, or C thinks is safe"
<Pau1> PHB - so it sounds like you are recommending a set of best practices in this area that will be consistent across all the browser vendors.
PHB said something he will add later
Mez: We can't not a good starting point
Hal: I am not saying we can't give good info
... people don't want to be told about the minutiae ... data going unencrypted over the network
PHB earlier: People can't be told 'I am safe' but we can tell them 'Bruce Schneier thinks you are safe, or PHB, or...'
Mez: Users don't have a security experts model but they do have a model
<stephenF> If we could tell them "you're as safe as yesterday" that'd be something
bill just going back into the protocol
scribe: certs are useless to the user (today).
want to go to a site
... information could be presented in much better format
... all user sees is dialog boxes they ignore, dilutes the user experience
Rob from IE: is it fair to say users don't have an acceptable security baseline
Bill yeah
Tyler: At hp we think in terms of users current expectations
<rfranco> Correction to PHBs note above
Tyler: anything they see as an exception is a problem
... exception is the password field using star characters when link is not encrypted.
<rfranco> "is it fair to say that users don't know when they are at an acceptable security baseline"
<staikos> very nice observation
<staikos> rfranco: I think so
Tyler: phrasing it in terms of use expectations
<Zakim> PHB, you wanted to wife tech admin issue
Thomas: Throw usability and usefulness
PHB: also the issue of third party
... too many requests for expert advice when the web breaks for someone
Thomas: best practices
... Current practice: show the whole URL
... HTTP response headers what is done now
... nothing
Hal need to check IANA
Thomas: Cookie information
Mez: dialogue boxes
Hal unless you have policies says nothing
Rob Franco: what?
<staikos> Cookies are prompt-by-default in KDE
Hal: Nothing visible these days to say cookie has arrived
Chris: mysterious to user
PHB info is there but not useful
malware: there is a setting you can put on to get a dialogue box
Thomas: I don't think that's the aspect we need to look at
Thomas: cookies are used for authentication, trigger display of a shared secret, user is at their bank again
Mez there are restrictions on cookie interchange
<staikos> The cookie interchange algorithms are getting very complex (and thus error-prone) too
all kind of useful cookie context indicators and ways they might be used as indicators
Hal: There are some specific cases where the cookie could be useful if it could be interpreted but they are opaque to the user so not useful
Mez: On to the next one
... Referring page
Hal: not displayed, is on the history of the back button
... how do things get in history
<Mez> +me says sorry George, that's phil taking notes
Hal: see everything
<Yakov> exiting... will re-join the meeting at 2pm
PHB back button should not cause redirects forward
<staikos> The back button is actually a very challenging issue
tim how do you explain to your wife
PHB: I tell her that's the way the web is
<tlr> Starting to edit list at: http://www.w3.org/2006/WSC/contextinfo.html
<staikos> PHB: In fact I think we should not put pages that cause redirect into the history at all
Mez: going to make recommendations that stand up to attack
<malware> staikos, about loud typing, probably you are hearing phb, who's scribing (brother sort of seems to attack his keyboard...)
Mez: will get some wrong
... but we don't have to expect to get 100% right
Thomas: there is life after recommendation, can track errata, issue edited recommendations
Mez: something to consider
Thomas: might have extended maintenance mode
Hal: much more likely is recommendations will be overtaken by events, people change attacks
... sendmail has lots of code to deal with ancient
... needs
PHB we have a dialectic system
MEZ: URL
Tyler: really long urls to defeat attacks
Hal right justification, not left
<malware> PHB: a browser that has better security features is at a competitive advantage
<malware> (I think that's what he said)
Mez character set defensive mechanisms?
Thomas: techniques against equal looking IDNs?
Mez: yes that's one
Hal: hope most people have changed their access system...
... problems on server side by parsing URLs ...
... construct a policy that matches something and people then create strings
Thomas: i was talking about Paypal with a cyrillic a
<staikos> why use a cyrillic a when www.paqypal.com" is probably sufficient?
Thomas: dealt with today with restrictions on TLDs for which IDNs will be displayed
PHB problem is not just IDNs
Thomas: people read domain names the way they read text, they don't look for errors
... anything that depends on proof reader skills is going to fail
<Paul> exiting...will be back between 2:30-3:00pm
PHB fixes the projection screen using his degree in nuclear physics
Mez there is the s in https: the yellow thing people do
Bill no real binding of SSL to a certificate
Hal: all the properties of the session
... separate out SSL on or off and other properties of the session
SSL on/off the PADLOCK !!
<Mez> Mez wants to know why George puts good ideas in a place the notes won't carry forward
Maritza colours
<staikos> not a good idea yet :)
Tyler: the dialog boxes you get
Hal that goes in the next box
Bill can enable doesn't tell you its off
Tyler: warning when not on an SSL site
mez this other dialog box that tells you when you are going secure and everyone disables
Mez beginning of the validity period I don't get that one
PHB: there is an operational reason for not valid-before -- fielding of up-to-date CRL
Bill: in ssl so there is no interface or mechanism that says what is the level of encryption I am using
Mez you are right, should be logging
Mez is there if you dig
Bill needs to be there
Tyler: Phil got lost showing a cert property
PHB the Danny Weitzner test, if UI is not usable by DJW in quarter of an hour then reject
Hal: session properties in that box
... definitely want to know what type of crypt
Bill these are not necessarily certificate properties
Hal: reason I proposed the split I did is that you probably need a binary split and then detail
tyler: info on cipher not presented should be down one, Firefox reveals this
<Zakim> PHB, you wanted to suggest a box split
<staikos> would like to agree with PHB but no need to take phone time for that :)
<Zakim> malware, you wanted to about testing across browsers
PHB Merge the boxes so we don't conclude we need to represent SSL on off when the question is am I safe
malware: Need to test on more than just the browser you are familiar with
... best current practices needs to be any widely used/available browser
Hal: point was to identify that which there is at least one example of
Bill: get back to the box in the breakout there is stuff from certificates currently bundled with SSL
Mez this is not the last pass
Hal/Bill discuss trust
Mez: you going anywhere?
Hal: it's up there
Mez take it away
<Zakim> PHB, you wanted to point out presenting base64 attribute does not communicate much
PHB trust level is displayed in IE7, address bar shows the issuer
malware: we have a three level indicator, but don't remember the details
<tlr> ACTION: msmith9 to find out more about Opera's numeric trust indicator [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action06]
<trackbot> Created ACTION-23 - Find out more about Opera\'s numeric trust indicator [on Michael Smith - due 2006-11-22].
PHB there are several add on plugins display trust
Tyler: Firefox does strange things with the lock icon, greyed out states and such.
<staikos> phone went dead?
<staikos> hm well my comments: the n padlocks attempts proved disastrous (for KDE too) and going back to simple indicators is best in our experience.
<staikos> I'll dial back in after lunch
Thomas: mismatch between domain name and subjectAltName is displayed
<Zakim> PHB, you wanted to need for debugger interface
PHB: we got here because people needed a debugging capability for their own sites. Should probably have explicit mode for this
Mez: may be pushing bounds of the charter
Thomas: key into bookmarks with petnames as existing practice?
Mez its research, big field...
... prototypes? where is the line? ...
... even if have column need to fill it in ...
... widely available addons? ...
thomas maybe no experimental things...
... but let's put down our collected knowledge
mez: no we are not, I have a lot we are not putting down
Tyler: need experimental things to inform working draft
... can easily list addons for firefox
Tyler: overridable warning, in IE7 this is not completely overridable
<scribe> ACTION: tyler give the URL of the antiphishing category for Mozilla/Firefox extensions [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action07]
See ACTION-30.
Need to state that we have thought of the debugging mode requirement and explicitly put it out of scope.
Bill classification of certs in three classes
Hal: these classes are not currently agreed
PHB thats why we have CABrowser forum
<hal> I believe that tyler proposed "did not come from the site" as a general criterion for all the information, not as a specific row of the table
Thomas edits configured trust roots box
<hal> since he stepped out, I can't ask him right now
<hal> btw, I disagree with using this as a criterion, untrustworthy info should also be considered at least at this stage
Mez there is a place you can go to look at them
Maritza the user does not know who is pre-trusted
PHB: additional ones can be added without user asking
tyler: there are no policies even
... these are accidents of history
hal: while you were out...
... thought that you wanted to provide a general criterion rather than something that applies to a specific row
... row about additional data on site that did not come from the site deleted
tim bookmarks,
mez have a way to display
tim does any browser tell you the last time you visited
tyler don't know any browser that will tell you that you are at a previously bookmarked page
mez more info, can I look at my cache?
malware: if you open a console window...
tyler: your password manager
phb you can do that
tyler i can...
... you can get a list of all your cookies...
hal lots of incomprehensible details
tyler history gets updated as you browse
maritza: list of sites you have already filled in form information for
hal: you can see this locally?
maritza: one of the tabs is saved forms
mez: reputation
phb there are lots of antiphishing toolbars
mez not production
tyler: IE7 and Firefox have these built in
malware: opera also has this feature
thomas adds to the matrix
mez past introductions from friends
hal nothing....
rob franco: wanted to detail the phishing filter...
... for benefit of posterity does not check every url. ...
phb thats still reputation data
robfranco wanted to make sure privacy community got the full picture and we do protect privacy
hal: do you check again for different url on the same domain name
rob yes for geocities!
scribe: maybe not for other properties, don't need to check bofa
mez redirection path
hal flashes in the address bar
tyler: we are doing potential? now only looking at what is currently being used
mez: we are just filling in the first column...
... was encouraging us to take a strict columnar approach so we can complete before 430
hal: would suggest not even tackling col 2 without the use cases
mez html page: spam filter like techniques ????
tyler: some phishing managers do this type of thing.
rob that is right if a site is unknown and has suspicious
mez target uri?
tyler the action uri for a form you are going to submit
thomas: mouse over hyperlink gives some this info
hal: javascript can override this behaviour for evil intent
PHB IP address...
... sometimes see this come up.
... more thinking in terms of reputation data keyed off IP
tyler: IE has long had a feature that classifies sites by if it's on your intranet or internet...
rob: IE has a security zone based on a set of client heuristics, (describes) ...
... urls without a dot always come up as intranet ...
... home joined systems don't have intranet
<tlr> ACTION: Thomas to set up Wiki for group use [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action08]
<trackbot> Created ACTION-24 - Set up Wiki for group use [on Thomas Roessler - due 2006-11-22].
<tlr> ACTION: Thomas to set up CVS access for Tyler [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action09]
<trackbot> Created ACTION-25 - Set up CVS access for Tyler [on Thomas Roessler - due 2006-11-22].
mez notes need editor context pulls the contribution together.
mez notes charter of two recommendations and that they may be combined
user interface, trusted path (shared secret) credentials, passwords, question - web user agent to user?
<tjh> question on clarifying Recommendation two example of saying securing path from web user agent to user.
<tjh> maritza: yes, between browser and user.
browser personalization, the practices to setup a "secure" session...
... examples limitations to scripting capabilities, dynamic, active content to manipulate user interfaces. Security information presented on the screen
<Tyler> https://addons.mozilla.org/search.php?q=phishing&type=E&app=firefox
<Tyler> That's a search for all anti-phishing addons for Firefox
mez personalization of the chrome, visual that provides a "secure" handshake
tlr notes action with browser that provides feedback to the user in a user friendly form
tjh notes network monitors security context information and use of separate tools. separate channel
<tjh> create some form of monitor that watches such security context information for connections and displays in some separated way.
mez notes that out of channel would not work SSL
tlr make the information available and in the right place
mez notes security context of personalization, "shared" secret. discussion on what is a secret. passwords, keys
tlr: one deployed mechanism: secret where first layer is based on cookies, tls and cookies that authenticates the user to the site and then stronger authentication applied...
... avoid site that looks like banking site, and replay attack
<tlr> ACTION: zurko to dig out papers about authenticating browser password entry dialogues to users [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action10]
<trackbot> Created ACTION-26 - Dig out papers about authenticating browser password entry dialogues to users [on Mary Ellen Zurko - due 2006-11-22].
<stephenF> breaking off now, will rejoin irc before end
Issue comes up about portability of shared secret if shared secret is tied to a browser on a particular machine
<tlr> ACTION: Hal to review requirements from workshop record - due 2006-12-05 [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action11]
<trackbot> Created ACTION-27 - review requirements from workshop record [on Hal Lockhart - due 2006-12-05].
tjh asks about the use of a proxy to help the user to stay in safe internet areas
hal notes the desire to standardize data provided by white / black list providers
hal suggestion, overhaul cookies and cookie management, since cookies contain a lot of security data.
scribe: cookies can be used to set up attacks
tlr: client authentication - exchange credentials and then get cookie. support deployed base of credentials opposed to using something like SAML and the benefits that a SAML token can provide
tyler: trust of site based on usage of the site, referring page and site that you use all the time your bank, site that "trusted" agent gave to you
mez: previous idea was security stuff to show that the user had security - moving to stuff to show security
tjh: build up the security level not using shared secret - site puts up something to spoof shared secret
tlr classes of shared secrets
<tjh> tlr draws a picture showing communication from server to human/user, from server to browser/user-agent, and from user-agent to human/user
tjh: techniques to render information securely 1 - shown, 2 not spoofed...
... notes "secure" information should not be spoofed ...
tlr notes interactive ceremonies as security handshakes that take place as a form or secure form is brought up
tyler information that only comes from particular areas on the screen or reserved areas that are not available to web content
<tjh> tyler use a second or other device to give feedback to user IF site contacted is one that was expected. Lack of that other device giving feedback would indicate a
<tjh> ... possible problem.
how to use two factor or out of band single factor, cell phone, email
hal better support and integration of different forms of credentials and management
mez - don't get to the web site in the first place
<Tyler> secure password based cipher suite for TLS
scribe: go to online mail, if the remote side cannot demonstrate knowledge of the shared key then the handshake progresses
Tlr address and shared secret because you have done business with this site before. expect that the site has knowledge of the shared secret and is used to complete the TLS session
tlr trusted path from user agent to user is also required in this case.
<tlr> ACTION: Thomas to clean up minutes [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action12]
<trackbot> Created ACTION-28 - Clean up minutes [on Thomas Roessler - due 2006-11-22].
See tracker.